Someone has Remoted into a PC on my network!

James Anning

Senior Member
I have an urgent situation. I have several PCs at home on a network. I'm lazy, so I use RealVNC
from one PC to hit my other PCs on the network (all password protected). I VNC'd onto one of my PCs
and noticed the lock/logon screen was up, with the message "The PC is logged on remotely by
bobs-MacBook-Pro.local".
Uh oh!! So I put in my password, and I see my mouse moving; it's on a PayPal page, he logged out!
(lucky for him!)...the user id was Richard@arrowpointint.com (not me, see below).

http://www.aanning.com/ajissues/Hacked/Hacked1.jpg

He also was on this page:

http://www.aanning.com/ajissues/Hacked/Hacked2.jpg

I have the log file from Windows, "HAcked.evtx"; I'm not sure what to make of it.
(I was unable to upload the "HAcked.evtx" file here, so I attached screenshots
of one of the 20+ events where he logged in.)
My only guess is he RDP'd into my PC, but I have no idea as to his end game.

I have turned OFF RDP on all my PCs, and made the lock screen come up after 1 minute of inactivity
on all PCs.

Any advice, clues or suggestions are greatly needed here!
eventview1.jpg
eventview2.jpg
eventview3.jpg
eventview4.jpg
 

Neemobeer

Cyber Security Engineer
Staff member
Do you have VNC exposed to the internet via a NAT forwarding rule? If so, I'd remove that; they probably brute forced the VNC login.
 

James Anning

Senior Member
Yes, I have over 75 NAT forwarding rules, of which...all are needed. Removing them is not an option...doing so, I may as well turn off all the PCs.
 

bochane

Excellent Member
On the whois page you find valuable information, i.e. the domain owner: Richard Louis, and his email address. He should know who is using Richard@arrowpointint.com, and he should be able to block that user. But this won't help if he is misusing his domain himself.

I don't have THE answer but I would certainly
- close, for the time being, any and all external ways to log in;
- change my passwords;
- check very extensively for malware and viruses;
- check my bank account;
- change the app I use to log in from an external computer, putting VNC aside,
before I would allow external access to my network again.

Hope this helps a bit
 

James Anning

Senior Member
I checked my PayPal...no activity in months. Everything seems fine. I informed PayPal, and have sent several emails to Richard..no reply. Yes, I disabled all RDP and RealVNC....I'm now going with TeamViewer.
I have to say, I've used the "pay for" version, RealVNC Enterprise, for years...it's "ok"..this free TeamViewer is absolutely incredible. I cannot say enough good things about it..AND it's free..it far far FAR exceeds any VNC tool I've used. It uses VPN, so is very secure...it does not use any ports, so no port forwarding is needed. I was able to take back over 20 forwarded ports and close them.
 

bochane

Excellent Member
That is good to hear. :up:
Don't forget to change your passwords and scan for malware and viruses.
Again, it is no guarantee but it will help.

Henk
 

James Anning

Senior Member
You know, I've never used any anti-virus....ever. Negating this issue, I've never had any issues before....and I'm online with 20+ PCs, 24/7, for the last 15 years...before that I was online with 1-2 PCs 24/7 since there has been an "online"...this is my first mishap.
THAT being said, Windows Defender is the only anti-anything I even have, or know anything about.......suggestions? (please don't say Norton or McAfee....I refuse those)
 

bochane

Excellent Member
> You know, I've never used any anti-virus....ever. Negating this issue, I've never had any issues before....and I'm online with 20+ PCs, 24/7, for the last 15 years...before that I was online with 1-2 PCs 24/7 since there has been an "online"...this is my first mishap.
> THAT being said, Windows Defender is the only anti-anything I even have, or know anything about.......suggestions? (please don't say Norton or McAfee....I refuse those)
Don't know what to answer on this.

You have been hacked. If they did not use brute force - it goes with performance degradation, which you may have noticed or found in logs - and neither you nor another user asked for remote help, they used malware.
So, as I see it, an AV is essential. You are lucky that it did not happen earlier.

There are independent test sites with reviews. Please select one from there.
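Neemobeer's brute-force theory and bochane's "found in logs" remark both come down to the same check on the saved "HAcked.evtx" from the first post: which accounts logged on, from which workstation or IP address, by which logon type (10 confirms RDP, the poster's guess), and whether a run of failed attempts preceded the successful ones. The script below is an added example for doing that triage; it is not code from this thread and not something RealVNC or Microsoft ships. It assumes the file is an export of the Security log, and the path is a placeholder to be replaced with the real location.

```powershell
# Added example (not from the thread): triage a saved Security log export such as
# the poster's HAcked.evtx for successful logons and the failed attempts around them.
param(
    [string]$Path = 'C:\path\to\HAcked.evtx'   # placeholder; point at the real export
)

# Logon type codes as documented for event 4624
$logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 7 = 'Unlock'; 10 = 'RemoteInteractive (RDP)' }

# Read one named field out of an event's EventData block
function Get-LogonField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4624 = successful logon, 4625 = failed logon
$events = Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4624, 4625 } -ErrorAction Stop

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        User        = Get-LogonField $e 'TargetUserName'
        LogonType   = [int](Get-LogonField $e 'LogonType')
        Workstation = Get-LogonField $e 'WorkstationName'
        SourceIp    = Get-LogonField $e 'IpAddress'
    }
}

# Session-level logons (console, unlock, RDP); type 10 with a non-local IP is what an RDP intrusion looks like
Write-Host '== Successful console/unlock/RDP logons (4624, types 2/7/10) =='
$rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in 2, 7, 10 } |
    Sort-Object Time |
    Select-Object Time, User, @{ n = 'Type'; e = { $logonTypes[$_.LogonType] } }, Workstation, SourceIp |
    Format-Table -AutoSize

# Failed logons clustered by source: many failures from one address shortly before a success is the brute-force signature
Write-Host '== Failed logons by source address (4625) =='
$rows | Where-Object { $_.Id -eq 4625 } |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'SourceIp'; e = { $_.Name } },
        @{ n = 'First';    e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';     e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt with the export's path as the argument. One caveat on the brute-force table: 4625 events are only written when Windows itself rejects the credentials, so if the attacker guessed a VNC server's own password rather than a Windows account, the failed attempts will be in the VNC server's log, not here, and only the eventual session (if it authenticates to Windows) shows up in the first table.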
 

Neemobeer

Cyber Security Engineer
Staff member
Webroot, Kaspersky and Bitdefender are good products; you can also install EMET from Microsoft, which is free, in addition to AV. I would consider setting up a VPN into your network, preferably SSL or IPsec; then you could remove the VNC rules, VPN in, and then VNC to your systems. This would be a lot more secure.
 